From: Togan Muftuoglu (toganm at users.sourceforge.net)
Date: Wed Sep 26 2001 - 14:48:38 CDT
* Michael Neumann <mn at syk.de> on 26 Sep, 2001 wrote:
> Hi all,
>
> I use iptables as a firewall on my local machine to filter any incoming
^^^^^^^^^^^
> filtered. I have tried with DENY and REJECT but got the same report.
>
DENY is now DROP.
The below is from the SENTRY Firewall CD:
## Create a user-defined chain for the flag checks and empty it so the
## script can be re-run safely.
$IPTABLES -N CHECK_FLAGS
$IPTABLES -F CHECK_FLAGS
##------------------------------------------------------------------------##
## NMAP FIN/URG/PSH ("Xmas" scan). "--tcp-flags ALL FIN,URG,PSH" examines
## all six flags and matches only when exactly FIN, URG and PSH are set.
## LOG is non-terminating, so the rate-limited LOG rule is followed by DROP.
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit \
--limit 5/minute -j LOG --log-level $LOG_LEVEL --log-prefix "NMAP-XMAS:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
##------------------------------------------------------------------------##
##------------------------------------------------------------------------##
## SYN/RST -- never valid together. The mask is SYN,RST only, so any other
## flags on the packet are ignored.
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -m limit \
--limit 5/minute -j LOG --log-level $LOG_LEVEL --log-prefix "SYN/RST:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
##------------------------------------------------------------------------##
##------------------------------------------------------------------------##
## SYN/FIN -- Scan (probably)
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit \
--limit 5/minute -j LOG --log-level $LOG_LEVEL --log-prefix "SYN/FIN:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
##------------------------------------------------------------------------##
##------------------------------------------------------------------------##
## Make some types of port scans annoyingly slow, also provides some
## protection against certain DoS attacks. The rule in chain KEEP_STATE
## referring to the INVALID state should catch most TCP packets with the
## RST or FIN bits set that aren't associated with an established connection.
## Still, these will limit the amount of stuff that is accepted through our
## open ports (if any). I suggest you test these for your configuration before
## you uncomment them, as they could cause problems.
# $IPTABLES -A CHECK_FLAGS -m limit --limit 5/second -p tcp --tcp-flags ALL RST -j ACCEPT
# $IPTABLES -A CHECK_FLAGS -m limit --limit 5/second -p tcp --tcp-flags ALL FIN -j ACCEPT
# $IPTABLES -A CHECK_FLAGS -m limit --limit 5/second -p tcp --tcp-flags ALL SYN -j ACCEPT
##------------------------------------------------------------------------##
--
Togan Muftuoglu

--
To unsubscribe, e-mail: suse-security-unsubscribe at suse.com
For additional commands, e-mail: suse-security-help at suse.com
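The rules above hinge on how `--tcp-flags MASK COMP` decides a match: netfilter ANDs the packet's flag byte with MASK and requires the result to equal COMP exactly. The following emulator is an added example, not code from the post or from the SENTRY Firewall CD; it reproduces that match logic in Python, walks the posted CHECK_FLAGS chain over a few constructed flag patterns (the nmap Xmas, NULL and SYN/FIN probes, a SYN/RST, and two ordinary packets), and adds one rule the post does not have, an `ALL NONE` match for the NULL scan, which the three posted rules cannot catch because none of them matches a packet with no flags set. The packet set and the extra rule are assumptions made here for illustration.

```python
"""Emulate iptables' ``--tcp-flags MASK COMP`` matching and run the posted
CHECK_FLAGS chain over constructed TCP flag patterns.

Added example: not from the SENTRY Firewall CD or the mailing-list post.
Nothing here touches netfilter; it only reproduces the match rule
(packet_flags & MASK) == COMP so the effect of each rule can be checked offline.
"""

# TCP flag bit values as laid out in byte 13 of the TCP header.
TCP_FLAGS = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04,
    "PSH": 0x08, "ACK": 0x10, "URG": 0x20,
}
# iptables' "ALL" covers the six classic flags; "NONE" is the empty set.
TCP_FLAGS_ALL = sum(TCP_FLAGS.values())  # 0x3f


def flagset(spec):
    """Turn an iptables flag list ('SYN,FIN', 'ALL', 'NONE') into a bitmask."""
    if spec == "ALL":
        return TCP_FLAGS_ALL
    if spec == "NONE":
        return 0
    bits = 0
    for name in spec.split(","):
        bits |= TCP_FLAGS[name]
    return bits


def tcp_flags_match(mask, comp, packet_flags):
    """--tcp-flags MASK COMP: look only at the bits in MASK and require that
    exactly the bits in COMP (and no other masked bit) are set."""
    return (packet_flags & flagset(mask)) == flagset(comp)


# The posted CHECK_FLAGS chain as (mask, comp, target, log_prefix).
# LOG is non-terminating, so each LOG/DROP pair is folded into one entry.
CHECK_FLAGS = [
    ("ALL", "FIN,URG,PSH", "DROP", "NMAP-XMAS:"),
    ("SYN,RST", "SYN,RST", "DROP", "SYN/RST:"),
    ("SYN,FIN", "SYN,FIN", "DROP", "SYN/FIN:"),
]

# Assumed addition (not in the post): an nmap NULL scan sends no flags at all,
# and flags == 0 matches none of the three rules above.
CHECK_FLAGS_WITH_NULL = CHECK_FLAGS + [("ALL", "NONE", "DROP", "NMAP-NULL:")]


def run_chain(chain, packet_flags):
    """Walk the chain the way netfilter does: the first matching terminating
    rule wins. A packet matching nothing falls off the end, i.e. RETURN."""
    for mask, comp, target, prefix in chain:
        if tcp_flags_match(mask, comp, packet_flags):
            return target, prefix
    return "RETURN", None


# Constructed flag patterns for the demonstration (not captured traffic).
PACKETS = {
    "nmap -sX (Xmas)": flagset("FIN,URG,PSH"),
    "nmap -sN (NULL)": flagset("NONE"),
    "SYN/FIN probe": flagset("SYN,FIN"),
    "SYN/RST": flagset("SYN,RST"),
    "normal SYN": flagset("SYN"),
    "normal ACK,PSH": flagset("ACK,PSH"),
    "Xmas plus ACK": flagset("FIN,URG,PSH,ACK"),
}


def classify_all(chain=CHECK_FLAGS):
    """Map each constructed packet name to the chain's verdict for it."""
    return {name: run_chain(chain, flags)[0] for name, flags in PACKETS.items()}


if __name__ == "__main__":
    for name, flags in PACKETS.items():
        target, prefix = run_chain(CHECK_FLAGS, flags)
        print(f"{name:18} flags=0x{flags:02x} -> {target} {prefix or ''}")
```

Two things the run makes visible: the "Xmas plus ACK" packet is not dropped, because the `ALL` mask demands that FIN, URG and PSH be the only flags set (which is exactly what nmap's -sX sends, so the posted rule is right for its purpose), and a NULL probe passes all three posted rules, which is why a fourth `--tcp-flags ALL NONE` rule is a common companion to them.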